Google knows your every move even with ‘location history’ off

Android phones are generating data that provides Google with a user’s location even when ‘location history’ is turned off.

Chris Griffith and Kieran Gair

4 min read

6:35AMAugust 18, 2020.

Updated 10:58PMAugust 18, 2020

Android users are being misled over Google’s incognito privacy feature.

Android handsets are tracking where users are, and sending that information to Google, even if location history settings are turned off and the incognito privacy feature is turned on.

Tests conducted by The Australian in Sydney — in which information being sent to Google was duplicated and analysed — show the technology giant tracks the phone’s movement even when those settings, ostensibly meant to protect the privacy of users, are activated.

Australian Privacy Foundation chairman David Vaile said the findings were disturbing, and Android users were being misled to think that the incognito privacy feature, where the device does not record any activity, meant that Google was not tracking the phone’s location either.

“They’ve proven time and time again that they’re unwilling to accept restraints on their data-collection practices,” Mr Vaile said. “They have essentially kept harvesting the data while giving a misleading impression that they have obeyed your wishes.”

Google’s collection of user data is already of concern to the Australian Competition & Consumer Commission, which last month launched Federal Court proceedings alleging the company had misled customers by not explicitly asking them for their permission to link their names with other identifying information such as internet activity. That data was later used to display advertising.

The Australian’s tests, which were conducted with the assistance of Oracle, included the interception of a secret stream of data from Android phones to Google, including location data, information about hundreds of Wi-Fi routers and mobile phone towers which users passed.

Google Map voice prompts directing users through traffic were also recorded and sent to Google along with the locations. The Australian was able to replay those prompts from the data.

The Google office building in New York. It is one of the largest technology owned office buildings in the world.

The Australian has previously reported Android phones were transmitting a vast array of information — from locations to how active and how high up in a building users were — back to Google.

A spokesman for the Office of the Australian Information Commissioner, the nation’s data protection agency, said the collection of personal information by any company “must be collected by fair and lawful means, and individuals adequately informed about the purposes for the collection”.

A Google spokeswoman said: “Geographic information helps us provide useful services when people interact with our products, like locally relevant search results and traffic predictions.”

While Google has previously said it does not sell data to third parties, applications installed on Android devices could collect and track user locations and make those details available to others.

“People can disable location history and ‘web & app activity’, and edit or delete the information, at any time,” the Google spokeswoman said.

Disabling location history, however, does not end the flow of information from an Android device to Google, The Australian’s tests show. (Oracle, which ran the tests, is involved in separate and long-running litigation against Google.)

Richard Buckland, a computer systems security researcher at the University of NSW, said it was “almost impossible” to stop Google storing a user’s location data. “When you make that change in your settings you’re just politely asking Google not to record your location,” he said. “You’re essentially just saying, look I know you know where I am, but please don’t record my location.”

Professor Buckland said Google would automatically store time-stamped location data without asking, often in violation of a user’s preference, and even with location history turned off.

“It’s almost impossible for a normal user to be confident they’re not being tracked,” he said. “If you don’t want Google to know where you are, don’t take your phone with you.”

He said that even if a user “jumped through all the hoops” Google could still pinpoint the person’s latitude and longitude and link it to their account when they search for topics.

“It’s in their interests to collect as much information from you as possible and I would advise people who think they’ve managed to conceal their location to be very, very careful.”

ABOUT THE PROJECT (Q&A)

What was the experiment?

We tested various phone location settings to see what data an Android phone sends to Google beyond what the phone displays openly. It follows on from this.

What did we find?

We found location data was sent with location history set to OFF and incognito mode in Google Maps set to ON. We believe the public would expect to travel anonymously with these settings.

What else did we find?

One experiment involved travelling with these settings (location history OFF and incognito mode ON) in a car while performing voice turn-by-turn navigation with Google Maps.

The resulting data stream not only included location data but also voice recordings of the directions that Google Navigation spoke en route. I could play back all the turn-by-turn voice recordings sent with the data stream.

The phones also collected details of Wi-Fi routers in the vicinity, such as router network names (SSIDs) and equipment identifiers (MAC addresses). The stream included details of dozens of Wi-Fi routers in an apartment building, and routers at a work location.

How is the data collected?

Software was installed on two phones that would “tap” this extra stream of data sent to Google, and send the data to a server in the US operated by Oracle. The server was programmed to unravel this stream of data into its component parts.

We set up experiments, varying the settings between phones to see how each setting affected the data stream. We could access and analyse the data in a human-understandable form through this US software/server set-up.

Why undertake this?

Android users implicitly accept that they offer their data to Google for advertising purposes in return for a free operating system for their phone. However, the use of personal data generated by phones nowadays is distributed to many more agencies than advertisers, with brokers selling it to police forces, governments and spy agencies. It is likely that criminal organisations can also tap into this data. More and more agencies and people are getting access to your phone data.

Is the concern just the data sent to Google?

No. If a company such as Oracle can unravel this data, other organisations can too, by getting you to install apps and access your personal, phone and location information through them.